[BreachExchange] Carnival ransomware attack affected three brands

Destry Winant destry at riskbasedsecurity.com
Thu Oct 15 10:46:14 EDT 2020


https://www.securitymagazine.com/articles/93639-carnival-ransomware-attack-affected-three-brands

Carnival Corporation has disclosed that an Aug. 15 ransomware attack
accessed the personal data of guests and employees of Carnival Cruise
Line, Holland America Line and Seabourn. However, Carnival said there
is "a low likelihood of the data being misused."

The group said: “While the investigation is ongoing, early indications
are that in early August the unauthorized third party gained access to
certain personal information relating to some guests, employees and
crew for three of the corporation’s brands – Carnival Cruise Line,
Holland America Line and Seabourn, as well as casino operations.”

"While how the third party gained unauthorized access has not been
disclosed, this is yet another example of the importance of proper
investment in cybersecurity programs to protect company and customer
data," says Terence Jackson, Chief Information Security Officer at
Thycotic. "Attackers are not taking it easy during the pandemic. They
are stepping the attacks up and we have to be ready."

According to Caroline Thompson, Head of Underwriting at Cowbell Cyber,
ransomware is now targeting all industries and evolving into a new
form of data breach as criminals not only ‘steal access’ by placing a
bounty to regain access to data and assets, but also threaten to steal
the data itself.

"Moving forward, businesses should evaluate cyber insurance for every
coverage and assistance that the policy might provide prior, during
and after a cyber incident," Thompson adds. "Insurance underwriters
should refine their risk assessment approach by collecting data that
accounts for today's new work-from-home model and also demand access
to cloud configurations (inside-out data) to refine their risk
selection. Furthermore, they should potentially decline coverages if
security best practices, such as multi-factor authentication (MFA), are
not implemented. Coverages addressing social engineering incidents and
ransomware should be revised with clear definitions on included or
excluded devices and adequate limits. Insurance offerings should be
built using data, artificial intelligence (AI) and continuous
underwriting, ingesting new data in real time and rapidly responding to
today's ever-changing threat landscape. The increased complexity in
cyber insurance makes it a good time for policyholders to consider a
standalone cyber policy that brings clarity into what's covered or
not, and provides adequate limits."

Steve Durbin, Managing Director of the Information Security Forum,
notes that organizations should rethink their defensive model,
particularly business continuity and disaster recovery plans to
protect against the scale and scope of these types of threats.
"Established plans that depend on employees being able to work from
home, for example, do not stand up to an attack that removes
connectivity or personally targets individuals as a means of dropping
ransomware into the corporate infrastructure. Revised plans should
cover threats to periods of operational downtime caused by attacks.
Creating a cyber-savvy workforce that takes information security
seriously, while nurturing a culture of trust, will help to eliminate
poor security practices as well as diminish the number and scale of
incidents," Durbin says.

